Business identity theft is one of the fastest-growing financial crimes in the United States, yet most small business owners have never heard of it. Unlike personal identity theft, where criminals steal an individual's Social Security number, business identity theft targets your company's EIN, registration, and credit profile to open fraudulent accounts, lease equipment, and file fake tax returns. The average incident costs over $10,000, and recovery can take months. Here is how to protect your business.
What Is Business Identity Theft?
Business identity theft occurs when a criminal assumes the identity of an existing business to commit fraud. Rather than creating a fake company, the thief hijacks your legitimate business registration, credit history, and reputation to:
- Open business credit lines in your company's name at banks and lenders
- Lease expensive equipment such as vehicles, copiers, or construction machinery that they never intend to return or pay for
- Order inventory on credit from suppliers who believe they are dealing with your established business
- File fraudulent tax returns with the IRS using your EIN to claim refunds
- Change your business registration with the Secretary of State to redirect mail, change the registered agent, or alter the business address
This is fundamentally different from personal identity theft. Criminals target businesses because business credit lines are often larger, verification processes can be weaker, and many small businesses do not monitor their business credit the way individuals monitor personal credit.
Small Businesses Are the Primary Target
Small businesses and LLCs are especially vulnerable because they typically lack dedicated fraud monitoring resources. A sole proprietor or small LLC owner may not discover the theft until they receive unexpected bills, get rejected for a loan they never applied for, or receive IRS notices about filings they did not make. By that point, the damage can be extensive and the criminal long gone.
How Criminals Steal a Business Identity
Understanding the methods criminals use is the first step toward prevention. Here are the most common attack vectors:
Secretary of State Filing Fraud
In many states, anyone can file amendments to a business registration with the Secretary of State. Criminals exploit this by filing fraudulent changes to your company's registered agent, business address, or officer names. Once they control the registration, they can order certified copies of your business documents and use them to open credit accounts.
EIN Theft
Your Employer Identification Number is the business equivalent of a Social Security number. If a criminal obtains your EIN, which is often available through public filings, they can use it to open accounts, apply for credit, and file tax returns in your company's name. Unlike a Social Security number, there is no way to freeze an EIN.
Personal Data as a Gateway
This is where personal privacy and business security intersect directly. Data broker sites publish business owners' personal information, including home addresses, phone numbers, email addresses, and known business affiliations. Criminals use this personal data to answer security questions, impersonate the business owner on phone calls with banks and lenders, and piece together enough information to pass identity verification checks.
Mail and Document Theft
Physical mail theft remains a common entry point. Intercepting bank statements, tax documents, or business correspondence gives criminals the details they need to impersonate your business.
Warning Signs of Business Identity Theft
Business identity theft often goes undetected for weeks or months. Watch for these red flags:
- Unexpected bills or invoices for products, services, or equipment you did not order
- Unfamiliar credit inquiries on your business credit report from lenders you have never contacted
- Mail from unknown lenders approving or denying credit applications you did not submit
- IRS notices about tax filings, EIN applications, or discrepancies you did not cause
- Rejected loan applications due to existing debt you do not recognize
- Changes to your Secretary of State filing that you did not authorize, such as a new registered agent or business address
- Calls from collection agencies about debts your business did not incur
Check Your Business Credit Regularly
Unlike personal credit, which most people check at least annually, business credit often goes completely unmonitored. Dun and Bradstreet, Experian Business, and Equifax Business all offer business credit reports. Review yours at least quarterly to catch unauthorized inquiries or new accounts early.
How to Protect Your Business From Identity Theft
1. Monitor Your Business Credit
Set up monitoring with the three major business credit bureaus: Dun and Bradstreet, Experian Business, and Equifax Business. Many offer alert services that notify you of new inquiries or changes to your business credit profile. This is the single most important step you can take.
2. Protect Your EIN
Treat your EIN with the same care you give your Social Security number. Do not share it unnecessarily, do not include it on documents that do not require it, and never transmit it via unencrypted email. If your EIN appears in public filings, be aware that criminals may already have access to it.
3. Register for Secretary of State Fraud Alerts
Several states, including Washington, offer fraud alert programs through their Secretary of State office. These programs notify you when someone attempts to file changes to your business registration, giving you an opportunity to reject unauthorized modifications before they take effect. Check whether your state offers a similar program and enroll immediately.
4. Use a Registered Agent Service
A registered agent service receives legal and government correspondence on behalf of your business, keeping your personal home address off public filings. This adds a layer of separation between your personal information and your business registration, making it harder for criminals to intercept your mail or impersonate you.
5. Separate Business and Personal Accounts
Use dedicated business email addresses, phone numbers, and bank accounts. Never use personal credentials for business purposes. This limits the damage if either your personal or business information is compromised and makes it easier to detect unauthorized activity.
6. Secure Physical and Digital Documents
Store business formation documents, tax returns, bank statements, and EIN verification letters in a secure location. Use encrypted digital storage for electronic copies. Shred any physical documents that contain sensitive business information before disposing of them.
7. Remove Your Personal Information From Data Broker Sites
This step is often overlooked, but it is critical. Data broker sites publish business owners' personal details, including home addresses, phone numbers, email addresses, and known business affiliations. Criminals use this information to impersonate business owners, answer security questions, and pass identity verification checks.
A data removal service like PrivacyOn removes your personal information from 100+ data broker sites automatically and monitors for re-listings 24/7. At $8.33/month, it eliminates one of the most accessible attack vectors criminals use to gather the personal details they need to steal a business identity. PrivacyOn also includes dark web monitoring, which alerts you if your personal credentials or business-related information appear on underground marketplaces, and family plans that protect up to 5 household members.
8. File Your Business Tax Returns Early
Filing your business tax returns as early as possible reduces the window for criminals to file fraudulent returns using your EIN. If the IRS receives a legitimate return first, a fraudulent return filed later will be flagged automatically.
9. Set Up IRS Identity Protection
The IRS offers identity theft resources for businesses, including the ability to report suspected identity theft and request an Identity Protection PIN for certain filing situations. If you suspect your EIN has been compromised, contact the IRS Business Identity Theft unit immediately.
What to Do If Your Business Identity Is Stolen
If you discover that your business identity has been compromised, act quickly:
- File a report with the FTC at IdentityTheft.gov, which generates a recovery plan
- Contact the IRS Business Identity Theft unit if your EIN has been misused for tax filings
- Notify your Secretary of State to flag your business registration and reverse any unauthorized changes
- Alert the business credit bureaus (Dun and Bradstreet, Experian Business, Equifax Business) to place fraud alerts on your business credit profile
- Contact your bank and lenders to flag any accounts that may have been opened fraudulently
- File a police report with your local law enforcement agency to create an official record
- Document everything including dates, communications, and financial impact for potential legal proceedings
The Bottom Line
Business identity theft is a serious and growing threat that can cost your company thousands of dollars and months of recovery time. Small businesses and LLCs are the most common targets because they often lack the monitoring infrastructure to detect fraud early.
Prevention starts with monitoring your business credit, protecting your EIN, securing your Secretary of State filings, and removing the personal information that criminals use to impersonate you. That last step is where most business owners have a blind spot. Your personal data on broker sites is a direct pathway to your business identity.
Take action today: Run a free scan with PrivacyOn to see how much of your personal information is exposed on data broker sites and the dark web. Removing that data is one of the most effective steps you can take to protect both your personal privacy and your business.